2009 10 02 larry clinton isa overview geared to estonian foreign affairs people

7/31/2019 2009 10 02 Larry Clinton ISA Overview Geared to Estonian Foreign Affairs People

http://slidepdf.com/reader/full/2009-10-02-larry-clinton-isa-overview-geared-to-estonian-foreign-affairs-people 1/47

Larry ClintonPresident

Internet Security [email protected]

703-907-7028

202-236-0001



Larry Clinton President ISA

• Former Academic came to DC in mid-80s

• Legislative Director for Chair Congressional Internet Committee

• 12 years w/USTA including rewrite of telecommunications law & WIPO

• Joined ISA in 2002 w/former Chair Congressional IntelligenceCommittee

• Written numerous articles on Info Security, edited Journals, testifybefore Congress, electronic and print media

• Boards: US Congressional I-net Caucus I-Net Education foundation,Cyber Security Partnership, DHS IT and Telecom Sector CoordinatingCommittee, CIPAC, CSCSWG



ISA Board of Directors

Ty Sagalow, Esq. Chair President Innovation Division, ZurichTim McKnight Second V Chair,

CSO, Northrop Grumman

• Ken Silva, Immediate Past Chair. CSO VeriSign • Gen. Charlie Croom (Ret.) VP Cyber Security, Lockheed Martin• Jeff Brown, CISO/Director IT Infrastructure, Raytheon• Eric Guerrino, SVP/CIO, bank of New York/Mellon Financial

• Lawrence Dobranski, Chief Strategic Security, Nortel• Pradeep Khosla, Dean Carnegie Mellon School of Computer Sciences• Joe Buonomo, President, DCR• Bruno Mahlmann, VP Cyber Security, Perot Systems• Linda Meeks, VP CISO Boeing corp.

J. Michael Hickey, 1st Vice Chair VP Government Affairs, Verizon

Marc-Anthony Signorino, Treas.National Assoc. of Manufacturers



Core Principles

1. The Internet Changes Everything

2. Cyber Security is not an "IT" issue

3. Government and industry must

rethink and evolve new roles,

responsibilities and practices to

create a sustainable system of cyber

security



ISAlliance Mission

Statement

ISA seeks to integrate advancements in

technology with pragmatic business needs andenlightened public policy to create a

sustainable system of cyber security.



Our Partners



The Old Web



The Web Today

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html



Post 9-11 Cyber SecurityPolicy

• National Strategy to Secure Cyber Space

• DIB Effort

• Comprehensive National Cyber Initiative(CNCI)

• CSIS and ISA Proposals to Obama/

Congress

• 60-day review & Obama Speech (5/29/09)



Releasing the Cyber Security Social ContractNovember, 2008



ISA Cyber Social Contract

• Similar to the agreement that ledto public utility infrastructuredissemination in 20th C

• Infrastructure develop -- market

incentives• Consumer protection through

regulation• Gov role is more creative—harder

—motivate, not mandate,compliance

• Industry role is to developpractices and standards andimplement them



Obama speaks on cyber security

Presidential Priority

“My administration will pursue a new comprehensiveapproach to securing America’s digital infrastructure.

This new approach starts at the top with thiscommitment from me: From now on, our digitalinfrastructure – the networks and computers wedepend on every day – will be treated as theyshould be: as a strategic national asset. Protecting

this infrastructure will be a national securitypriority.”

(President Obama, May 29, 2009)



President Obama’s Report onCyber Security (May 30 2009)

• The United States faces the dual challenge of maintaining an environment that promotesefficiency, innovation, economic prosperity,and free trade while also promoting safety,

security, civil liberties, and privacy rights.(President’s Cyber Space Policy Review pageiii)

• Quoting from Internet Security Alliance Cyber

Security Social Contract: Recommendationsto the Obama Administration and the 111thCongress November 2008



The Economy is reliant on theInternet

• The state of Internet security is erodingquickly. Trust in online transactions isevaporating, and it will require strong

security leadership for that trust to berestored. For the Internet to remain the

juggernaut of commerce and productivity it

has become will require more, not less,input from security. PWC Global Cyber Security Survey 2008



CURRENT ECONOMIC INCENTIVESFAVOR ATTACKERS

• Attacks are cheap and easy

• Vulnerabilities are almost infinite

• Profits from attacks are enormous ($ 1TRILLION in 08)

• Defense is costly (Usually no ROI)

• Defense is often futile

• Costs of Attacks are distributed



The need to understand businesseconomics to address cyber issues

» If the risks and consequences can be assignedmonetary value, organizations will have greater ability and incentive to address cybersecurity. Inparticular, the private sector often seeks a business

case to justify the resource expenditures needed for integrating information and communications systemsecurity into corporate risk management and for engaging partnerships to mitigate collective risk.Government can assist by considering incentive-

based legislative or regulatory tools to enhance thevalue proposition and fostering an environment thatencourages partnership.” --- President’s Cyber Space Policy Review May 30, 2009 page 18



Regulation vs. Incentives

• ISA Social Contract argues vs. regulationwhich is slow/limited in effect/anti-UScompetitiveness/anti-security and won’t

work.

• Obama: “Let me be very clear, we are notgoing to regulate cyber security standards

to the private sector.” (May 29 2009)



President Obama’s Report on Cyber Security(May 30, 2009)

» The government, working with State and local partners,should identify procurement strategies that will incentivizethe market to make more secure products and servicesavailable to the public. Additional incentive mechanismsthat the government should explore include adjustments toliability considerations (reduced liability in exchange for improved security or increased liability for theconsequences of poor security), indemnification, taxincentives, and new regulatory requirements andcompliance mechanisms. President’s Cyber Space Policy

Review May 30, 2009 page v

» Quoting Internet Security Alliance Cyber Security SocialContract: Recommendations to the Obama Administrationand 111th Congress



Proposed Incentives: Liability

» The Federal government should consider options for incentivizing collective action and enhancecompetition in the development of cybersecuritysolutions. For example, the legal concepts for

“standard of care” to date do not exist for cyberspace. Possible incentives include adjustmentsto liability considerations (reduced liability inexchange for improved security or increased liabilityfor the consequences of poor security),

indemnification, tax incentives, and new regulatoryrequirements and compliance mechanisms. ---Obama Administration’s Report on Cyber SecurityMay 2009 page 28)



Obama Action Plan: International

• Near Term Action Plan Item 7

“Develop US Government positions for an

international cyber security policyframework and strengthen our international partnerships to createincentives that address the full range of

activities, policies, and opportunitiesassociated with cyber security” (ObamaCyber Space Policy Review P. 37)



Securing the IT Supply Chain

» The challenge with supply chain attacks is that asophisticated adversary might narrowly focus onparticular systems and make manipulation virtually

impossible to discover. Foreign manufacturing doespresent easier opportunities for nation-stateadversaries to subvert products; however, the samegoals could be achieved through the recruitment of key insiders or other espionage activities. ----

President’s Cyber Space Policy Review May 30,2009 page 34



The Danger

• Electronic Components (e.g. chips) could be infiltrated byhostile agents in the supply chain

• Alter the circuitry or substitute counterfeit circuitry

• Malicious firmware functions like malicious softwaregiving attacker control of the information system

• EG a logic bomb could be triggered by certain activity

•

Shut down the system or turn it against the owner • Impossible to detect



Possible Solutions

• Domestic only production?

• Inconsistent with Obama approach to

Cyber Security

• Cost more than govt. willing to pay

• Crash critical portions of the industry

• Harm the US both from a securityperspective and economic perspective



Likelihood of Supply Chain Attacks

• Limited targets for supply chain attacks

• Expensive

• Time consuming

• Can only be deployed once

• Probably easier ways to do most attacks

• Nation states might not be deterred

• Sophisticated Criminal activity



National Risk Continuum

C o n s e q u e

n c e

Very low Very high

N a t i o n - s t a t e / u n l i m i t e d r e s o u r c e s

N a t i o n - s t a t e / t e r r o r

i s t

l i m i t e d r e s o u r c e s

N a t

i o n - s t a t e /

S t e a l

C r i m

i n a l

g a n g

V e r y l o w

Hackers P r o j e c t p o w e r / d a m a

g e o r d e s t r o y

P r o j e c t p o w e r

S e v e r e



ISA Supply Chain Project

• 18 months long (start fall 07)

• Focus on firmware

• Carnegie Mellon University and Center for Cyber Consequences Unit

• 3 conferences

•

100 Gov., Industry and Academic participants• Results are strategy and framework provided to

USG for NSC 60-day review of cyber policy



ISA/CMU Study Results

1. Globalization of IT Supply Chain will increase

2. USG reliance on IT will also increase

3. Threat from IT supply chain significant for USG4. “USG-only” solution impractical

5. Attackers will be fluid and creative so fixedpolicies will be ineffective long term

6. Need a flexible framework of solutions7. Framework must account for both security and

cost



The ISA Strategy/Framework

• Solve the supply chain problem in a way that ALSO produces other security benefits thus justifying the increased expenditure

• Businesses are not suffering greatly from supplychain attacks, but are suffering from other attacks

• Key is to make the entire supply chain secure,i.e. supply chain must be part of acomprehensive framework



Types of Attacks

• Interrupt the operation

• Corrupt the Operation

• Discredit the Operation

• Undermine the basis of the operation



Types of Supply Chain Attacks &Remedies

1. Interrupt Operation: Maintain alternative sources andcontinual sharing of production across chain

2. Corrupt Operation (e.g. insert malware): strict control of environment where key IP is being applied, logical andphysical tamper proof seals/tracking containers

3. 3. Discredit the operation (undermine trust or brand

value): logging operation and responsibility

4. 4. Loss of information: Versioning as a tool for protecting IP



Framework: Stages When Attacks

May Occur

1. Design Phase

2. Fabrication Phase

3. Assembly Phase

4. Distribution Phase

5. Maintenance Phase



Framework: Legal Support Needed

1. Rigorous contracts delineating securitymeasures

2. Locally responsible corporations w/long term

interest in complying3. Local ways of motivating workers and

executives

4. Adequate provision for verifying implementationof security

5. Local law enforcement of agreements at alllevels



The Multi-State Agency Problem

• US Federal Government JurisdictionDiffuse

• Health Care=HIPPA

• Financial Services = GLB

• Chemical Facilities = DHS

• FTC ALSO covers all with “unfair or deceptive acts?

• 50 states have “mini-FTC” Acts



EU Has Right Solution

• Strictest laws and multi jurisdictions

• European Union Safe Harbor Framework

• US companies can comply by following 7Principles (Notice/Op-Out choice/3-PartyTransfer protections/Personal Access/

Data Integrity/Enforcement• Consistent with Obama Policy



Outdated Laws in the Digital AgeObama Report: Conclusion

– The history of electronic communications in the United Statesreflects steady, robust technological innovation punctuated bygovernment efforts to regulate, manage, or otherwise respond toissues presented by these new media, including securityconcerns. The iterative nature of the statutory and policydevelopments over time has led to a mosaic of government lawsand structures governing various parts of the landscape for information and communications security and resiliency.Effectively addressing the fragmentary and diverse nature of the

technical, economic, legal, and policy challenges will require aleadership and coordination framework that can stitch thispatchwork together into an integrated whole. President’s Cyber Space Policy Review May 30, 2009 page C-12



Developing SCAP Automated Security & Assurance for VoIP & Converged Networks

September, 2008



ISA Unified Communications Legal

Compliance Analysis (June 2009)

1.Descibes available UnifiedCommunications (UC) Technologies

2. Describes Security Risks of Deployment

3. Inventory of Laws to be considered predeployment

4. Analysis if ECPA creates a legal barrier to

deployment5 Toolkit for lawyers and clients to assist in

avoiding exposure from deployment



Information Sharing

• Problem Clearly needs additional work

• DIB model results, good, but someproblems and not scalable

• Trust is built on mutual exchange

• Alternatives:

• British Consultancy Model

• Roach Motel Model



Roach Motel: Bugs Get In Not Out

• No way to stop determined intruders

• Stop them from getting back out (w/data)by disrupting attackers command and

control back out of our networks• Identify web sites and IP addresses used

to communicate w/malicious code

• Cut down on the “dwell time” in thenetwork

• Don’t stop attacks—make them less useful



Old Model for Info Sharing

• Big Orgs may invest in Roach Motel (traffic& analytical methods) small orgs.never will

• Many entities already rept. C2 channels(AV vend/CERT/DIB/intelligence etc.)

• Perspectives narrow

• Most orgs don’t play in info sharing orgs

• Info often not actionable

• Lack of trust



New Model (based on AV model)

• Focus not on sharing attack info

• Focus IS ON disseminating info on attacker C2URLs & IP add & automatically block

OUTBOUND TRAFFIC to them• Threat Reporters (rept malicious C2 channels)

• National Center (clearing house)

•

Firewall Vendors (push info into field of deviceslike AV vendors do now)



Threat Reporters

• Govt/private/commecial orgs apply

• analytical capability to discover, C2 sitesvia malware reverse engineering

• Gov certified so there would be trust intheir reports

• Only report malware C2 info (web site/Ipaddress) & type (e.g. botnet)

• Can use Certification for branding



National Clearinghouse

• Receive reports and rapidly redistribute tofirewall device vendors

• Track validity of reports for re-certification

• Focus is rapid dissemination of automatically actionable info



Firewall Providers

• Producers of devices capable of blockingoutbound web traffic

• Accept data from clearinghouse

• Reformat as needed

• Recalculate to customers as quickly aspossible



Incentives

• Threat reporters: certification for branding

• Gov: secure industrial base low costdevelop common operating picture

• Firewall device vendors: new market

• Medium & small companies; Security atlow cost in both money and time

• Increase trust in internet



Larry ClintonPresident

Internet Security [email protected] 703-907-7028202-236-0001

2009 10 02 larry clinton isa overview geared to estonian foreign affairs people

Documents